evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6

Browse source 
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6:
  firewire: ohci: fix crashes with TSB43AB23 on 64bit systems
  firewire: core: fix use-after-free regression in FCP handler
  firewire: cdev: add_descriptor documentation fix
  firewire: core: add_descriptor size check
This commit is contained in:
Linus Torvalds 2010-01-28 12:56:23 -08:00
commit b39bda6e73
4 changed files with 70 additions and 29 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

41
drivers/firewire/core-card.c
View file

@ -57,6 +57,8 @@ static LIST_HEAD(descriptor_list);
static int descriptor_count; static int descriptor_count;
static __be32 tmp_config_rom[256]; static __be32 tmp_config_rom[256];
/* ROM header, bus info block, root dir header, capabilities = 7 quadlets */
static size_t config_rom_length = 1 + 4 + 1 + 1;
#define BIB_CRC(v) ((v) << 0) #define BIB_CRC(v) ((v) << 0)
#define BIB_CRC_LENGTH(v) ((v) << 16) #define BIB_CRC_LENGTH(v) ((v) << 16)
@ -73,7 +75,7 @@ static __be32 tmp_config_rom[256];
#define BIB_CMC ((1) << 30) #define BIB_CMC ((1) << 30)
#define BIB_IMC ((1) << 31) #define BIB_IMC ((1) << 31)
static size_t generate_config_rom(struct fw_card *card, __be32 *config_rom) static void generate_config_rom(struct fw_card *card, __be32 *config_rom)
{ {
struct fw_descriptor *desc; struct fw_descriptor *desc;
int i, j, k, length; int i, j, k, length;
@ -130,23 +132,30 @@ static size_t generate_config_rom(struct fw_card *card, __be32 *config_rom)
for (i = 0; i < j; i += length + 1) for (i = 0; i < j; i += length + 1)
length = fw_compute_block_crc(config_rom + i); length = fw_compute_block_crc(config_rom + i);
return j; WARN_ON(j != config_rom_length);
} }
static void update_config_roms(void) static void update_config_roms(void)
{ {
struct fw_card *card; struct fw_card *card;
size_t length;
list_for_each_entry (card, &card_list, link) { list_for_each_entry (card, &card_list, link) {
length = generate_config_rom(card, tmp_config_rom); generate_config_rom(card, tmp_config_rom);
card->driver->set_config_rom(card, tmp_config_rom, length); card->driver->set_config_rom(card, tmp_config_rom,
config_rom_length);
} }
} }
static size_t required_space(struct fw_descriptor *desc)
{
/* descriptor + entry into root dir + optional immediate entry */
return desc->length + 1 + (desc->immediate > 0 ? 1 : 0);
}
int fw_core_add_descriptor(struct fw_descriptor *desc) int fw_core_add_descriptor(struct fw_descriptor *desc)
{ {
size_t i; size_t i;
int ret;
/* /*
* Check descriptor is valid; the length of all blocks in the * Check descriptor is valid; the length of all blocks in the
@ -162,15 +171,21 @@ int fw_core_add_descriptor(struct fw_descriptor *desc)
mutex_lock(&card_mutex); mutex_lock(&card_mutex);
list_add_tail(&desc->link, &descriptor_list); if (config_rom_length + required_space(desc) > 256) {
descriptor_count++; ret = -EBUSY;
if (desc->immediate > 0) } else {
list_add_tail(&desc->link, &descriptor_list);
config_rom_length += required_space(desc);
descriptor_count++; descriptor_count++;
update_config_roms(); if (desc->immediate > 0)
descriptor_count++;
update_config_roms();
ret = 0;
}
mutex_unlock(&card_mutex); mutex_unlock(&card_mutex);
return 0; return ret;
} }
EXPORT_SYMBOL(fw_core_add_descriptor); EXPORT_SYMBOL(fw_core_add_descriptor);
@ -179,6 +194,7 @@ void fw_core_remove_descriptor(struct fw_descriptor *desc)
mutex_lock(&card_mutex); mutex_lock(&card_mutex);
list_del(&desc->link); list_del(&desc->link);
config_rom_length -= required_space(desc);
descriptor_count--; descriptor_count--;
if (desc->immediate > 0) if (desc->immediate > 0)
descriptor_count--; descriptor_count--;
@ -428,7 +444,6 @@ EXPORT_SYMBOL(fw_card_initialize);
int fw_card_add(struct fw_card *card, int fw_card_add(struct fw_card *card,
u32 max_receive, u32 link_speed, u64 guid) u32 max_receive, u32 link_speed, u64 guid)
{ {
size_t length;
int ret; int ret;
card->max_receive = max_receive; card->max_receive = max_receive;
@ -437,8 +452,8 @@ int fw_card_add(struct fw_card *card,
mutex_lock(&card_mutex); mutex_lock(&card_mutex);
length = generate_config_rom(card, tmp_config_rom); generate_config_rom(card, tmp_config_rom);
ret = card->driver->enable(card, tmp_config_rom, length); ret = card->driver->enable(card, tmp_config_rom, config_rom_length);
if (ret == 0) if (ret == 0)
list_add_tail(&card->link, &card_list); list_add_tail(&card->link, &card_list);

50
drivers/firewire/core-cdev.c
View file

@ -35,6 +35,7 @@
#include <linux/preempt.h> #include <linux/preempt.h>
#include <linux/sched.h> #include <linux/sched.h>
#include <linux/spinlock.h> #include <linux/spinlock.h>
#include <linux/string.h>
#include <linux/time.h> #include <linux/time.h>
#include <linux/uaccess.h> #include <linux/uaccess.h>
#include <linux/vmalloc.h> #include <linux/vmalloc.h>
@ -595,13 +596,20 @@ static int ioctl_send_request(struct client *client, void *buffer)
client->device->max_speed); client->device->max_speed);
} }
static inline bool is_fcp_request(struct fw_request *request)
{
return request == NULL;
}
static void release_request(struct client *client, static void release_request(struct client *client,
struct client_resource *resource) struct client_resource *resource)
{ {
struct inbound_transaction_resource *r = container_of(resource, struct inbound_transaction_resource *r = container_of(resource,
struct inbound_transaction_resource, resource); struct inbound_transaction_resource, resource);
if (r->request) if (is_fcp_request(r->request))
kfree(r->data);
else
fw_send_response(client->device->card, r->request, fw_send_response(client->device->card, r->request,
RCODE_CONFLICT_ERROR); RCODE_CONFLICT_ERROR);
kfree(r); kfree(r);
@ -616,6 +624,7 @@ static void handle_request(struct fw_card *card, struct fw_request *request,
struct address_handler_resource *handler = callback_data; struct address_handler_resource *handler = callback_data;
struct inbound_transaction_resource *r; struct inbound_transaction_resource *r;
struct inbound_transaction_event *e; struct inbound_transaction_event *e;
void *fcp_frame = NULL;
int ret; int ret;
r = kmalloc(sizeof(*r), GFP_ATOMIC); r = kmalloc(sizeof(*r), GFP_ATOMIC);
@ -627,6 +636,18 @@ static void handle_request(struct fw_card *card, struct fw_request *request,
r->data = payload; r->data = payload;
r->length = length; r->length = length;
if (is_fcp_request(request)) {
/*
* FIXME: Let core-transaction.c manage a
* single reference-counted copy?
*/
fcp_frame = kmemdup(payload, length, GFP_ATOMIC);
if (fcp_frame == NULL)
goto failed;
r->data = fcp_frame;
}
r->resource.release = release_request; r->resource.release = release_request;
ret = add_client_resource(handler->client, &r->resource, GFP_ATOMIC); ret = add_client_resource(handler->client, &r->resource, GFP_ATOMIC);
if (ret < 0) if (ret < 0)
@ -640,13 +661,15 @@ static void handle_request(struct fw_card *card, struct fw_request *request,
e->request.closure = handler->closure; e->request.closure = handler->closure;
queue_event(handler->client, &e->event, queue_event(handler->client, &e->event,
&e->request, sizeof(e->request), payload, length); &e->request, sizeof(e->request), r->data, length);
return; return;
failed: failed:
kfree(r); kfree(r);
kfree(e); kfree(e);
if (request) kfree(fcp_frame);
if (!is_fcp_request(request))
fw_send_response(card, request, RCODE_CONFLICT_ERROR); fw_send_response(card, request, RCODE_CONFLICT_ERROR);
} }
@ -717,18 +740,17 @@ static int ioctl_send_response(struct client *client, void *buffer)
r = container_of(resource, struct inbound_transaction_resource, r = container_of(resource, struct inbound_transaction_resource,
resource); resource);
if (r->request) { if (is_fcp_request(r->request))
if (request->length < r->length) goto out;
r->length = request->length;
if (copy_from_user(r->data, u64_to_uptr(request->data), if (request->length < r->length)
r->length)) { r->length = request->length;
ret = -EFAULT; if (copy_from_user(r->data, u64_to_uptr(request->data), r->length)) {
kfree(r->request); ret = -EFAULT;
goto out; kfree(r->request);
} goto out;
fw_send_response(client->device->card, r->request,
request->rcode);
} }
fw_send_response(client->device->card, r->request, request->rcode);
out: out:
kfree(r); kfree(r);

4
drivers/firewire/ohci.c
View file

@ -2420,6 +2420,7 @@ static void ohci_pmac_off(struct pci_dev *dev)
#define PCI_VENDOR_ID_AGERE PCI_VENDOR_ID_ATT #define PCI_VENDOR_ID_AGERE PCI_VENDOR_ID_ATT
#define PCI_DEVICE_ID_AGERE_FW643 0x5901 #define PCI_DEVICE_ID_AGERE_FW643 0x5901
#define PCI_DEVICE_ID_TI_TSB43AB23 0x8024
static int __devinit pci_probe(struct pci_dev *dev, static int __devinit pci_probe(struct pci_dev *dev,
const struct pci_device_id *ent) const struct pci_device_id *ent)
@ -2488,7 +2489,8 @@ static int __devinit pci_probe(struct pci_dev *dev,
#if !defined(CONFIG_X86_32) #if !defined(CONFIG_X86_32)
/* dual-buffer mode is broken with descriptor addresses above 2G */ /* dual-buffer mode is broken with descriptor addresses above 2G */
if (dev->vendor == PCI_VENDOR_ID_TI && if (dev->vendor == PCI_VENDOR_ID_TI &&
dev->device == PCI_DEVICE_ID_TI_TSB43AB22) (dev->device == PCI_DEVICE_ID_TI_TSB43AB22 ||
dev->device == PCI_DEVICE_ID_TI_TSB43AB23))
ohci->use_dualbuffer = false; ohci->use_dualbuffer = false;
#endif #endif

4
include/linux/firewire-cdev.h
View file

@ -380,7 +380,7 @@ struct fw_cdev_initiate_bus_reset {
* @immediate: If non-zero, immediate key to insert before pointer * @immediate: If non-zero, immediate key to insert before pointer
* @key: Upper 8 bits of root directory pointer * @key: Upper 8 bits of root directory pointer
* @data: Userspace pointer to contents of descriptor block * @data: Userspace pointer to contents of descriptor block
* @length: Length of descriptor block data, in bytes * @length: Length of descriptor block data, in quadlets
* @handle: Handle to the descriptor, written by the kernel * @handle: Handle to the descriptor, written by the kernel
* *
* Add a descriptor block and optionally a preceding immediate key to the local * Add a descriptor block and optionally a preceding immediate key to the local
@ -394,6 +394,8 @@ struct fw_cdev_initiate_bus_reset {
* If not 0, the @immediate field specifies an immediate key which will be * If not 0, the @immediate field specifies an immediate key which will be
* inserted before the root directory pointer. * inserted before the root directory pointer.
* *
* @immediate, @key, and @data array elements are CPU-endian quadlets.
*
* If successful, the kernel adds the descriptor and writes back a handle to the * If successful, the kernel adds the descriptor and writes back a handle to the
* kernel-side object to be used for later removal of the descriptor block and * kernel-side object to be used for later removal of the descriptor block and
* immediate key. * immediate key.